scrub does not properly re-fragment unusual but valid IPv6 fragments, results in overlapping fragments
When scrub is enabled, a set of valid fragments can be re-fragmented improperly by scrub when exiting the firewall. Without scrub enabled, the packets are forwarded properly.
A patch for this has already been imported into 2.4, this report is for documentation purposes.
I originally reproduced the reported problem by crafting packets with Scapy, using packets from a submitted capture file as a template. The packets are two fragments of a single TCP SYN.
With scrub disabled:
- First packet is 8 bytes, marked as bytes 0-7
- Second packet is 12 bytes, marked as bytes 8-19
With scrub enabled:
- First packet is 12 bytes, marked as bytes 0-11
- Second packet is 8 bytes, marked as bytes 8-15
The same problem is present on stock FreeBSD 11 using pf with scrub.
The new behavior is valid. The receiver now sees three non-overlapping fragments (8, 8 and 4 bytes) because the fragment reassembly code re-fragments along the size of the largest incoming fragment, rounded down to the nearest 8-byte multiple (IPv6 fragment offsets are counted in 8-octet units, so every non-final fragment must be a multiple of 8). Cutting at no more than the largest size the path already carried is what ensures the firewall does not break PMTUD: it never emits a fragment larger than one the sender already got through.
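The re-fragmentation rule above, modelled in plain Python as an added example (this is not pf's code and not from the original report). Fragments are represented as constructed (byte offset, payload) pairs; the input is assumed to be the two or more fragments of one packet, with offsets of non-final fragments on 8-byte boundaries as the IPv6 Fragment header requires. The `overlapping` check is the receiver's view and flags the buggy 0-11 / 8-15 output, while `refragment` reproduces the 8, 8, 4 split of the fixed scrub.

```python
# Constructed model of pf's post-scrub IPv6 re-fragmentation (added example,
# not pf source). A fragment is (byte_offset, payload); offsets of non-final
# fragments are multiples of 8 because the IPv6 Fragment header counts them
# in 8-octet units.

FRAG_UNIT = 8


def overlapping(frags):
    """Return the first overlapping pair of fragments, or None.

    Receiver-side view: two fragments overlap when the later one starts
    before the earlier one ends.
    """
    ordered = sorted(frags, key=lambda f: f[0])
    for prev, cur in zip(ordered, ordered[1:]):
        if cur[0] < prev[0] + len(prev[1]):
            return prev, cur
    return None


def reassemble(frags):
    """Reassemble fragments into the original payload.

    Rejects overlaps and gaps, and rejects a non-final fragment whose length
    is not a multiple of 8 (its successor could not carry a correct offset).
    """
    ordered = sorted(frags, key=lambda f: f[0])
    data = bytearray()
    for i, (off, payload) in enumerate(ordered):
        if off != len(data):
            raise ValueError(
                f"fragment at offset {off} overlaps or leaves a gap (expected {len(data)})")
        is_last = i == len(ordered) - 1
        if not is_last and len(payload) % FRAG_UNIT:
            raise ValueError(
                f"non-final fragment of {len(payload)} bytes is not a multiple of {FRAG_UNIT}")
        data += payload
    return bytes(data)


def refragment(frags):
    """Re-fragment along the largest incoming fragment, rounded down to 8.

    This is the rule the report describes for the fixed scrub: no output
    fragment is larger than one the path already carried (so PMTUD is not
    broken) and every non-final piece is a legal 8-byte multiple.
    """
    data = reassemble(frags)
    largest = max(len(payload) for _, payload in frags)
    size = largest - largest % FRAG_UNIT
    if size == 0:
        raise ValueError("largest fragment is smaller than one 8-byte unit")
    return [(off, data[off:off + size]) for off in range(0, len(data), size)]


if __name__ == "__main__":
    # Constructed input matching the report: 8 bytes at 0-7, 12 bytes at 8-19.
    original = [(0, bytes(range(0, 8))), (8, bytes(range(8, 20)))]
    fixed = refragment(original)
    print([(off, len(p)) for off, p in fixed])   # [(0, 8), (8, 8), (16, 4)]
    print(overlapping(fixed))                    # None
    # The buggy scrub output from the report: 12 bytes at 0-11, 8 bytes at 8-15.
    buggy = [(0, bytes(range(0, 12))), (8, bytes(range(8, 16)))]
    print(overlapping(buggy) is not None)        # True
```

Running the block prints the three-fragment split for the valid input and shows that the buggy output is rejected by the overlap check; feeding the buggy pair to `reassemble` raises, which is the behaviour a firewall's reassembly path should have before it ever re-fragments.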